Data Governance News: Updates for Small Businesses
Latest data governance news and updates. Microsoft 365 governance changes, SharePoint storage overages, AI readiness requirements, and data management developments that affect how your business handles its data.
Last updated: 2026-03-02
Data governance is moving fast. Microsoft is tightening SharePoint storage policies, AI tools like Copilot are exposing data oversharing risks, and regulators worldwide are introducing new frameworks for AI governance and data management.
This page tracks the developments that matter for businesses managing their data. Updated regularly with Microsoft 365 policy changes, AI governance requirements, storage management updates, and regulatory shifts that affect how your organisation handles its information.
Bookmark this page. When Microsoft changes a policy or a new AI regulation takes effect, check here first.
Every item below links to its primary source so you can verify the detail and read further.
June 2026
UK: Every business must have a data complaints process from 19 June
The complaints-handling provisions of the Data (Use and Access) Act 2025 come into force on 19 June 2026. From this date, every UK organisation that handles personal data must have a formal process for dealing with data protection complaints from individuals — and the ICO has confirmed there is no exemption for small businesses.
In practice, the duty has four parts: provide a clear, accessible way for someone to raise a data protection complaint; acknowledge the complaint within 30 days; investigate it without undue delay while keeping the complainant informed; and communicate the outcome without undue delay. The procedure has to exist on paper before complaints arrive — it can't be improvised after the first one lands.
What to do: Publish a short complaints procedure (a paragraph on your privacy page plus an email address is enough for most small businesses), assign one named person or team to own it, and start a simple log that records when each complaint was received, acknowledged, investigated, and closed. This sits alongside your existing subject access request process — see boringdsar.com/guides/dsar-compliance for the related access-request obligations the same Act amends.
Source: ICO — How to deal with data protection complaints
Microsoft Purview tightens Copilot data protections
Microsoft shipped a round of Purview controls aimed squarely at the Copilot oversharing problem. Data Loss Prevention can now inspect Copilot prompts and web searches in real time — blocking Copilot from responding, or from using sensitive content as grounding, when a prompt itself contains regulated data. A new condition also lets administrators stop Copilot from using external email as grounding data, reducing the risk of prompt injection from untrusted senders. Alongside these, Purview added bulk remediation of overshared content and expanded Copilot dashboard analytics so admins can see usage and risk in one place. (The external-email control is in preview at launch.)
This is the continuation of a clear pattern through 2026: the governance gaps Copilot exposes are increasingly fixable from the admin centre rather than requiring third-party tooling. The bulk remediation feature in particular addresses the practical problem of finding thousands of overshared files but having no efficient way to fix them.
What to do: If you run Microsoft 365 Copilot, review the new DLP conditions for the Copilot location and enable prompt and external-email protections for your sensitivity labels. Run a bulk remediation pass on overshared content. If Copilot isn't deployed yet, treat these controls as part of the pre-rollout checklist — see data governance before AI and Microsoft 365 governance.
Source: Microsoft Learn — Learn about DLP for Microsoft 365 Copilot; Microsoft Learn — What's new in Microsoft Purview
SharePoint adds a Governance Reviews Dashboard
Microsoft began rolling out a Governance Reviews Dashboard (in private preview) that gives site owners a single place to see all pending governance tasks across the sites they own — inactivity checks, ownership validation, and site attestations — with due dates and enforcement status. It replaces the scatter of individual notification emails with one actionable surface, and where owners don't respond, sites can be automatically made read-only or archived.
For small businesses this matters because site attestation is the practical answer to permission sprawl: instead of an admin auditing every site, owners periodically confirm their site is still needed and its sharing settings are correct. The dashboard makes that recurring review something an owner can actually keep up with.
What to do: Once the dashboard reaches your tenant, set up recurring site attestation policies in the SharePoint admin center and decide your enforcement action for unattested sites (read-only is a safer default than auto-archive while owners get used to the process). Pair this with a periodic SharePoint permissions audit for the sites that hold sensitive content.
Source: Microsoft — What's new in content governance in SharePoint, OneDrive, and Teams for the AI era
Kentucky's privacy-assessment duty takes effect
The data protection assessment requirements of the Kentucky Consumer Data Protection Act apply to processing activities carried out on or after 1 June 2026. Businesses covered by the Act must document an assessment before high-risk processing — targeted advertising, selling personal data, certain profiling, and processing sensitive data.
Most genuinely small businesses fall below Kentucky's thresholds (controlling or processing data on 100,000+ residents, or 25,000+ with more than half of revenue from selling data), so this is context rather than an action item for the typical reader. It's worth noting as part of a wider 2026 trend: documented risk assessments are becoming standard across US state privacy laws. Connecticut, Utah, and Arkansas privacy provisions follow on 1 July 2026.
What to do: If you operate across multiple US states, check whether you meet any state's threshold rather than assuming small size exempts you. A single data inventory covering what you collect, why, and who you share it with is the document most of these assessments build on.
Sources: Akin Gump — Kentucky Data Protection Act: what businesses need to know; MultiState — Comprehensive privacy laws taking effect in 2026
May 2026
EU provisionally agrees to delay high-risk AI Act deadlines
On 7 May 2026, negotiators from the Council, Parliament, and Commission reached a provisional agreement on the "Digital Omnibus" — the first set of amendments to the EU AI Act since it was adopted in 2024. The headline change is timing relief: the compliance deadline for high-risk AI systems under Annex III is deferred from 2 August 2026 to 2 December 2027, and the obligation to machine-mark AI-generated synthetic content moves from August to 2 December 2026. The package also adds new prohibitions, including AI systems that generate non-consensual intimate imagery, from December 2026.
For businesses that deploy AI tools, this removes the near-term August 2026 pressure point — but "provisional" is the operative word. The agreement still needs formal adoption, and the underlying obligations have been postponed, not cancelled.
What to do: If you were preparing for an August 2026 high-risk deadline, you have more runway, but don't shelve the work. Most small businesses using off-the-shelf AI tools are deployers rather than providers; the governance foundations — knowing what your AI can access and what data it surfaces — matter regardless of the regulatory timeline. See the August 2025 entry below for the original timeline this amends.
Google Workspace adds an AI Control Center and AI-aware DLP
Google rolled out an AI control center for Workspace — a central place for admins to govern what generative AI and agents are allowed to access across Docs, Gmail, Drive, and other services. Organisations can now enable or disable specific data sources for AI features at the org level, and Data Loss Prevention rules can gate which data feeds AI. Google Vault retention and legal holds were also extended to cover the Gemini app, bringing AI interactions into the same eDiscovery and retention controls as the rest of Workspace.
This is the Google Workspace counterpart to the Purview controls Microsoft has been shipping for Copilot: the same recognition that AI features make existing access and sharing problems visible, and that governing them belongs in the admin console. For the substantial share of small businesses on Workspace rather than Microsoft 365, this is the first real set of native controls for AI data access.
What to do: If you run Google Workspace, review the AI control center, decide which services should feed AI features, and set DLP rules to keep sensitive content out of AI grounding. Extend Vault retention to the Gemini app so AI interactions fall under your existing retention policy.
Sources: Google Workspace Updates — Securely manage AI and agent access with the AI control center; Google Workspace Updates — Vault retention and holds for the Gemini app
April 2026
SharePoint external sharing moves to Entra B2B guest accounts
Microsoft is retiring the legacy SharePoint "one-time passcode" experience for external sharing and moving all SharePoint and OneDrive external sharing to Microsoft Entra B2B, where each external person is added as a guest account in your directory. Tenants could manually enable the integration through the end of April 2026; from May 2026 Microsoft began switching remaining tenants automatically, and the change can't be opted out of. External users without a B2B guest account will start seeing "access denied" on previously shared links from July 2026.
The upside is genuine governance: guest accounts give you a single, auditable list of every external person with access, conditional-access enforcement, and clean revocation — far better than anonymous passcode links that linger forever. The risk is disruption — a supplier, accountant, or client could lose access to shared files mid-2026 if they were never converted to a guest.
What to do: Run the external sharing report in the SharePoint admin center to see who has access through the old experience, and make sure those people have B2B guest accounts before July 2026 so nothing breaks. Review the guest list while you're there — it doubles as a permissions audit.
Source: Microsoft Learn — SharePoint and OneDrive integration with Microsoft Entra B2B (FAQ)
Purview DLP can now target files by created or modified date
Microsoft Purview Data Loss Prevention for SharePoint and OneDrive added "file created" and "last modified" date conditions, letting administrators scope DLP and auto-labelling policies by a document's age. You can apply stricter protection to recently edited files, or sweep up stale content that hasn't been touched in years.
It's a small change with a practical payoff for small teams: core SharePoint and OneDrive DLP is included in Microsoft 365 Business Premium and E3 (not just E5), so date-aware policies are within reach without an enterprise licence.
What to do: If you already run a DLP policy on SharePoint or OneDrive, check whether a "last modified" condition would help you focus protection on active sensitive files — or flag stale ones for review and archival.
Source: Microsoft Learn — What's new in Microsoft Purview
March 2026
Australia: 100,000+ small businesses lose privacy exemption from July
Australia's privacy reforms will strip the small business exemption from businesses in newly regulated industries starting 1 July 2026. Lawyers, accountants, real estate agents, conveyancers, and dealers in high-value goods — the "tranche 2" entities brought under anti-money-laundering rules — will be required to comply with the Privacy Act for the first time, regardless of revenue. Previously, businesses with annual turnover under $3 million were exempt.
This is a significant expansion of privacy obligations for affected small businesses. They will need to meet the same data handling, breach notification, and individual rights requirements as larger organisations — including responding to access requests and maintaining records of personal information handling.
What to do: If your business falls into one of the newly regulated categories, start preparing now. At minimum: conduct a data inventory, draft a privacy policy, establish a process for handling access requests, and train staff on the basics. The OAIC has begun publishing guidance for newly covered businesses ahead of the July deadline.
Source: OAIC — Know your privacy obligations under the AML/CTF Act
SharePoint sharing links now support automatic expiration
Microsoft rolled out the ability to set organisation-wide expiration policies for "People in your organisation" sharing links in SharePoint and OneDrive. Administrators can now configure a maximum lifespan for internal sharing links, after which access is automatically revoked.
Previously, internal sharing links lived forever — anyone with the link retained access indefinitely. This was one of the biggest sources of permission sprawl and a core reason permissions audits consistently find over-shared content.
What to do: Set an expiration policy in the SharePoint admin center. A 90-day default is a reasonable starting point for most businesses — long enough for active collaboration, short enough to limit lingering access.
Source: Microsoft 365 Roadmap — Feature ID 553220 (expiration for "People in your organization" links)
EDPB launches 2026 coordinated enforcement on transparency
The European Data Protection Board announced its 2026 Coordinated Enforcement Framework (CEF) action, with 25 Data Protection Authorities across Europe jointly assessing compliance with GDPR transparency obligations under Articles 12 to 14. This follows previous coordinated actions on the right of access (2024) and the role of data protection officers (2023).
The focus on transparency means regulators will be scrutinising privacy notices, information provided at the point of data collection, and how clearly organisations communicate their data practices. For businesses serving EU customers — including those in the UK, Ireland, and other English-speaking jurisdictions — unclear or outdated privacy notices are now a higher enforcement priority.
What to do: Review privacy notices and data collection forms. Ensure they clearly state what data is collected, why, how long it is kept, and who to contact. If the privacy policy has not been updated since 2018, it is overdue.
Source: EDPB — CEF 2026: coordinated enforcement action on transparency and the right to information
February 2026
Microsoft retires standalone SharePoint and OneDrive plans
Microsoft announced it will retire standalone SharePoint Online Plan 1 and Plan 2, and OneDrive for Business Plan 1 and Plan 2 licenses. Sales cease on 31 May 2026, with no contract renewals after January 2027. Service continues until December 2029.
This pushes all customers toward Microsoft 365 suite licenses — which include more storage but at higher per-user costs. For small businesses currently on standalone SharePoint plans, this is a forced migration that requires planning.
What to do: Review your current SharePoint and OneDrive licensing. If you are on standalone plans, start evaluating Microsoft 365 Business Basic ($6/user/month) or Business Standard ($12.50/user/month) as replacements. Factor in total cost of ownership including the additional services bundled in suite licenses.
Source: Microsoft — Partner Center announcements, January 2026
NIST launches AI Agent Standards Initiative
In February 2026, NIST officially released the AI Agent Standards Initiative, marking the beginning of standardisation work for AI agents — systems that can take autonomous actions on behalf of users. It is run through NIST's Center for AI Standards and Innovation and builds on NIST's broader AI standards work, including the AI Risk Management Framework (AI RMF 1.0).
For businesses deploying AI tools like Microsoft Copilot or third-party AI agents, these emerging standards will shape future compliance expectations. Data governance foundations — knowing where your data is, who can access it, and how it is classified — are prerequisites for any AI agent deployment.
What to do: Review the NIST AI RMF 1.0 and consider how your data governance practices align with its risk management principles. Organisations with strong data governance will be better positioned when formal AI agent standards arrive.
Source: NIST — Announcing the AI Agent Standards Initiative
January 2026
Three more US states' privacy laws take effect
On 1 January 2026, comprehensive consumer privacy laws took effect in Indiana, Kentucky, and Rhode Island, bringing the number of US states with comprehensive privacy laws to 20. Each gives residents rights to access, correct, delete, and opt out of the sale of their personal data, and requires covered businesses to post clear privacy notices and honour those requests.
Most carry the now-familiar thresholds (typically processing the data of 100,000+ state residents, or 25,000+ while earning significant revenue from selling data), so the smallest businesses often fall outside them. But the direction of travel is what matters: the patchwork keeps growing, and a business serving customers in several states can be caught by one law even when it's exempt under another.
What to do: If you sell to consumers across US states, don't assume your size exempts you everywhere — check each state where you have meaningful customer numbers. A single data inventory and a clear, current privacy notice cover most of what these laws require.
Source: IAPP — New year, new rules: US state privacy requirements coming online as 2026 begins
December 2025
Trump signs AI executive order targeting state AI laws
On 11 December 2025, President Trump signed an executive order titled "Ensuring a National Policy Framework for Artificial Intelligence." The order directs the Department of Justice to establish an AI Litigation Task Force to challenge state AI laws deemed inconsistent with federal policy, and threatens federal funding restrictions for states with "onerous" AI regulations.
This creates uncertainty for businesses navigating the growing patchwork of state-level AI laws. While the order aims to simplify compliance by establishing a uniform federal framework, the transition period may produce conflicting requirements as state and federal policies are reconciled.
What to do: Track which state AI laws may be affected by federal preemption. If your organisation operates across multiple US states, a unified approach to AI governance is increasingly important.
Source: The White House — Presidential action on national AI policy (11 December 2025)
November 2025
Microsoft Ignite 2025: Copilot governance and security updates
At Ignite 2025, Microsoft announced expanded security and governance tools for Microsoft 365 Copilot. Key updates include Microsoft Purview Data Loss Prevention (DLP) for Copilot reaching general availability — blocking Copilot from processing files and emails with specific sensitivity labels — and expanded data risk assessments with item-level investigation and bulk remediation of overshared links.
These tools address the oversharing problem that Copilot has made impossible to ignore. Concentric AI's Data Risk Report found that 16% of business-critical data is overshared on average, totalling roughly 802,000 files per organisation at risk. When Copilot can surface any content a user has access to, broadly shared files become a liability.
What to do: If you use Microsoft 365 Copilot, enable Purview DLP policies to restrict Copilot's access to sensitive content. Run a data risk assessment from the Microsoft 365 admin centre to identify overshared files and sites.
Sources: Microsoft — Security and governance innovations for Microsoft 365 Copilot from Ignite; Concentric AI — Data Risk Report (oversharing statistics)
Microsoft 365 Archive eliminates reactivation fees
Microsoft eliminated reactivation fees for Microsoft 365 Archive content effective 31 March 2025, making it cheaper to move inactive SharePoint content to cold storage and bring it back when needed. Archive storage costs up to 75% less than standard SharePoint storage ($0.05/GB/month versus the $0.20/GB/month overage rate).
For organisations hitting SharePoint storage limits, Archive provides a way to reduce costs without deleting data. File-level archiving — allowing individual documents to be archived without taking entire sites offline — reached public preview at the end of March 2026, with GA targeted for July 2026.
What to do: Identify inactive SharePoint sites consuming storage. Move them to Microsoft 365 Archive to free up pooled storage and avoid the $0.20/GB/month overage charges. Each Microsoft 365 tenant gets 1 TB plus 10 GB per licensed user of pooled SharePoint storage — anything above that costs real money.
Source: Microsoft — Microsoft 365 Archive eliminates reactivation fees by March 31, 2025
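One way to find those inactive sites and cost them out before touching the admin centre, as an added example (PowerShell against the SharePoint Online Management Shell; not from this page or from Microsoft; the tenant name, the 365-day inactivity threshold and the use of the page's quoted per-GB prices are assumptions):

```powershell
# Added example: list inactive SharePoint sites and estimate pooled-storage overage
# versus Microsoft 365 Archive. Uses the SharePoint Online Management Shell cmdlets
# Connect-SPOService, Get-SPOTenant and Get-SPOSite.
# Assumptions: 'contoso' is a placeholder tenant name; a site with no content change
# for 365 days counts as inactive; prices are the figures quoted in the entry above.

$TenantName   = 'contoso'   # placeholder, replace with your tenant
$InactiveDays = 365         # assumed inactivity threshold
$OverageRate  = 0.20        # USD per GB per month, standard SharePoint overage
$ArchiveRate  = 0.05        # USD per GB per month, Microsoft 365 Archive

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Get-SPOTenant reports the pooled quota in MB; it already reflects 1 TB + 10 GB per licence.
$quotaGB = [math]::Round((Get-SPOTenant).StorageQuota / 1024, 0)

# Per-site usage (StorageUsageCurrent is in MB) and the date of the last content change.
$sites = Get-SPOSite -Limit All | Select-Object Url, LastContentModifiedDate,
    @{ n = 'UsedGB'; e = { [math]::Round($_.StorageUsageCurrent / 1024, 2) } }

$usedGB = ($sites | Measure-Object -Property UsedGB -Sum).Sum
$overGB = [math]::Max(0, $usedGB - $quotaGB)

# Archive candidates: untouched for the threshold period, largest first.
$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$inactive = $sites | Where-Object { $_.LastContentModifiedDate -lt $cutoff } |
    Sort-Object -Property UsedGB -Descending
$inactiveGB = ($inactive | Measure-Object -Property UsedGB -Sum).Sum
if (-not $inactiveGB) { $inactiveGB = 0 }

# Monthly cost now versus after archiving every inactive site.
# Archived content leaves the pooled quota but is billed at the Archive rate.
$costNow   = $overGB * $OverageRate
$costAfter = ([math]::Max(0, $overGB - $inactiveGB) * $OverageRate) + ($inactiveGB * $ArchiveRate)

'Pooled quota {0} GB, used {1} GB, over quota {2} GB' -f $quotaGB, $usedGB, $overGB
'Sites with no content change since {0:yyyy-MM-dd}, largest first:' -f $cutoff
$inactive | Format-Table Url, UsedGB, LastContentModifiedDate -AutoSize
'Overage now: USD {0:N2}/month; after archiving inactive sites: USD {1:N2}/month' -f $costNow, $costAfter
```

The report only estimates: confirm with the site owner before archiving, since LastContentModifiedDate does not reflect read-only use of a site.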
August 2025
EU AI Act: General-purpose AI obligations take effect
The EU AI Act's obligations for general-purpose AI (GPAI) models took effect on 2 August 2025. Providers of GPAI models must now comply with transparency requirements including maintaining technical documentation, publishing content usage policies, and implementing copyright compliance measures.
The next major milestone was originally 2 August 2026, when obligations for high-risk AI systems in Annex III and transparency rules under Article 50 were due to come into force. Penalties for non-compliance are significant: up to €35 million or 7% of worldwide turnover for prohibited practices.
Update (May 2026): EU negotiators have provisionally agreed to defer the high-risk (Annex III) deadline to December 2027 — see the May 2026 entry above.
What to do: If your organisation develops or deploys AI systems that serve EU users, review the EU AI Act risk classification. Most businesses using off-the-shelf AI tools like Copilot are deployers rather than providers, but deployers of high-risk AI systems will have their own obligations once the deadline arrives.
Source: European Commission — Regulatory framework on AI
Late 2024 — Early 2025
Trump rescinds Biden AI executive order
On 20 January 2025, President Trump rescinded Executive Order 14110 — Biden's "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence" order from October 2023. Three days later, he signed Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence," signalling a shift from oversight and risk mitigation toward deregulation and innovation promotion.
For businesses, this means less federal guidance on AI risk management but potentially fewer compliance obligations at the federal level. State-level AI laws continue to develop independently, and the EU AI Act applies regardless of US federal policy.
Source: The White House — Removing Barriers to American Leadership in Artificial Intelligence (EO 14179)
SharePoint Advanced Management bundled with Copilot licenses
From January 2025, Microsoft began bundling SharePoint Advanced Management (SAM) features with Microsoft 365 Copilot licenses. SAM provides data access governance reports, site access reviews, and oversharing detection — tools that help organisations identify and remediate the data governance gaps that Copilot makes visible.
Previously a separate add-on, SAM's inclusion with Copilot licenses reflects Microsoft's acknowledgement that AI readiness requires better data governance. Site access reviews allow administrators to delegate the review of overshared sites to site owners directly.
What to do: If you have Copilot licenses, enable SharePoint Advanced Management and run data access governance reports. These reports identify sites with broadly shared content — the same content Copilot can surface to any user with access.
Source: Microsoft Learn — SharePoint Advanced Management licensing
EU AI Act: Prohibited AI practices take effect
The first binding obligations under the EU AI Act took effect on 2 February 2025, prohibiting AI systems that pose unacceptable risks. These include AI systems that use subliminal manipulation techniques, exploit vulnerabilities of specific groups, enable social scoring by public authorities, and deploy real-time biometric identification in public spaces (with limited exceptions).
While most small businesses are unlikely to deploy prohibited AI systems, the broader message is clear: AI governance is becoming a regulatory requirement, not a best practice.
Source: European Commission — Guidelines on prohibited AI practices
Last updated: 23 June 2026. This page is updated regularly as data governance developments occur. Bookmark it and check back for the latest changes.
Related Articles
- Data Ownership and Stewardship: Who's Responsible for Your Data?
- SharePoint Permissions Audit: How to Find Out Who Has Access
- Data Governance Before AI: Why You Need to Clean Up Before Turning On Copilot
- Data Governance Policy Template for Small Businesses
- Personal Data vs Sensitive Data: What's the Difference?